Update the patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=79
2024-11-02 00:55:18 +00:00 · 2024-11-02 00:55:18 +00:00 · 803cb95998
commit 803cb95998
parent cd88adc808
1 changed files with 37 additions and 68 deletions
--- a/CVE-2024-9287-venv_path_unquoted.patch
+++ b/CVE-2024-9287-venv_path_unquoted.patch
@ -1,4 +1,4 @@
-From 4072b983d36ceccefec931ba614eeffa1a3a4536 Mon Sep 17 00:00:00 2001
+From 1408cc9bf9e8b19968761548c30b78d37074c21c Mon Sep 17 00:00:00 2001
 From: Y5 <124019959+y5c4l3@users.noreply.github.com>
 Date: Tue, 22 Oct 2024 04:48:04 +0800
 Subject: [PATCH] gh-124651: Quote template strings in `venv` activation
@ -10,13 +10,13 @@ scripts. This mitigates potential command injection.
 (cherry picked from commit d48cc82ed25e26b02eb97c6263d95dcaa1e9111b)
 ---
 Lib/test/test_venv.py                                                   |   81 ++++++++++
- Lib/venv/__init__.py                                                    |   64 ++++++-
- Lib/venv/scripts/common/activate                                        |   27 ++-
+ Lib/venv/__init__.py                                                    |   42 ++++-
+ Lib/venv/scripts/common/activate                                        |   10 -
 Lib/venv/scripts/nt/activate.bat                                        |    6 
 Lib/venv/scripts/posix/activate.csh                                     |    8 
- Lib/venv/scripts/posix/activate.fish                                    |    7 
+ Lib/venv/scripts/posix/activate.fish                                    |    8 
 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst |    1 
- 7 files changed, 159 insertions(+), 35 deletions(-)
+ 7 files changed, 135 insertions(+), 21 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst

 --- a/Lib/test/test_venv.py
@ -180,83 +180,46 @@ scripts. This mitigates potential command injection.
         return text
 
     def install_scripts(self, context, path):
-@@ -465,16 +496,19 @@ class EnvBuilder:
-                 dstfile = os.path.join(dstdir, f)
+@@ -466,6 +497,7 @@ class EnvBuilder:
                 with open(srcfile, 'rb') as f:
                     data = f.read()
-                if not srcfile.endswith(('.exe', '.pdb')):
-                    try:
-                        data = data.decode('utf-8')
-                        data = self.replace_variables(data, context)
-                        data = data.encode('utf-8')
-                    except UnicodeError as e:
-                        data = None
-                        logger.warning('unable to copy script %r, '
-                                       'may be binary: %s', srcfile, e)
-                if data is not None:
-+                try:
+                 if not srcfile.endswith(('.exe', '.pdb')):
 +                    context.script_path = srcfile
-+                    new_data = (
-+                        self.replace_variables(data.decode('utf-8'), context)
-+                            .encode('utf-8')
-+                    )
-+                except UnicodeError as e:
-+                    logger.warning('unable to copy script %r, '
-+                                   'may be binary: %s', srcfile, e)
-+                    continue
-+                if new_data == data:
-+                    shutil.copy2(srcfile, dstfile)
-+                else:
-                     with open(dstfile, 'wb') as f:
-                         f.write(data)
-                     shutil.copymode(srcfile, dstfile)
+                     try:
+                         data = data.decode('utf-8')
+                         data = self.replace_variables(data, context)
 --- a/Lib/venv/scripts/common/activate
 +++ b/Lib/venv/scripts/common/activate
-@@ -36,19 +36,26 @@ deactivate () {
- deactivate nondestructive
- 
- # on Windows, a path can contain colons and backslashes and has to be converted:
-if [ "${OSTYPE:-}" = "cygwin" ] || [ "${OSTYPE:-}" = "msys" ] ; then
-    # transform D:\path\to\venv to /d/path/to/venv on MSYS
-    # and to /cygdrive/d/path/to/venv on Cygwin
+@@ -39,14 +39,14 @@ deactivate nondestructive
+ if [ "${OSTYPE:-}" = "cygwin" ] || [ "${OSTYPE:-}" = "msys" ] ; then
+     # transform D:\path\to\venv to /d/path/to/venv on MSYS
+     # and to /cygdrive/d/path/to/venv on Cygwin
 -    export VIRTUAL_ENV=$(cygpath "__VENV_DIR__")
-else
-    # use the path as-is
+    export VIRTUAL_ENV=$(cygpath __VENV_DIR__)
+ else
+     # use the path as-is
 -    export VIRTUAL_ENV="__VENV_DIR__"
-fi
-+case "$(uname)" in
-+    CYGWIN*|MSYS*|MINGW*)
-+        # transform D:\path\to\venv to /d/path/to/venv on MSYS and MINGW
-+        # and to /cygdrive/d/path/to/venv on Cygwin
-+        VIRTUAL_ENV=$(cygpath __VENV_DIR__)
-+        export VIRTUAL_ENV
-+        ;;
-+    *)
-+        # use the path as-is
-+        export VIRTUAL_ENV=__VENV_DIR__
-+        ;;
-+esac
+    export VIRTUAL_ENV=__VENV_DIR__
+ fi
 
 _OLD_VIRTUAL_PATH="$PATH"
 -PATH="$VIRTUAL_ENV/__VENV_BIN_NAME__:$PATH"
 +PATH="$VIRTUAL_ENV/"__VENV_BIN_NAME__":$PATH"
 export PATH
 
-+VIRTUAL_ENV_PROMPT=__VENV_PROMPT__
-+export VIRTUAL_ENV_PROMPT
-+
 # unset PYTHONHOME if set
- # this will fail if PYTHONHOME is set to the empty string (which is bad anyway)
- # could use `if (set -u; : $PYTHONHOME) ;` in bash
-@@ -59,7 +66,7 @@ fi
+@@ -59,9 +59,9 @@ fi
 
 if [ -z "${VIRTUAL_ENV_DISABLE_PROMPT:-}" ] ; then
     _OLD_VIRTUAL_PS1="${PS1:-}"
 -    PS1="__VENV_PROMPT__${PS1:-}"
-+    PS1="("__VENV_PROMPT__") ${PS1:-}"
+    PS1=__VENV_PROMPT__"${PS1:-}"
     export PS1
-     VIRTUAL_ENV_PROMPT="__VENV_PROMPT__"
+-    VIRTUAL_ENV_PROMPT="__VENV_PROMPT__"
+    VIRTUAL_ENV_PROMPT=__VENV_PROMPT__
     export VIRTUAL_ENV_PROMPT
+ fi
+ 
 --- a/Lib/venv/scripts/nt/activate.bat
 +++ b/Lib/venv/scripts/nt/activate.bat
@@ -8,7 +8,7 @@ if defined _OLD_CODEPAGE (
@ -291,7 +254,6 @@ scripts. This mitigates potential command injection.
 set _OLD_VIRTUAL_PATH="$PATH"
 -setenv PATH "$VIRTUAL_ENV/__VENV_BIN_NAME__:$PATH"
 +setenv PATH "$VIRTUAL_ENV/"__VENV_BIN_NAME__":$PATH"
-+setenv VIRTUAL_ENV_PROMPT __VENV_PROMPT__
 
 
 set _OLD_VIRTUAL_PROMPT="$prompt"
@ -299,13 +261,14 @@ scripts. This mitigates potential command injection.
 if (! "$?VIRTUAL_ENV_DISABLE_PROMPT") then
 -    set prompt = "__VENV_PROMPT__$prompt"
 -    setenv VIRTUAL_ENV_PROMPT "__VENV_PROMPT__"
-+    set prompt = "("__VENV_PROMPT__") $prompt:q"
+    set prompt = __VENV_PROMPT__"$prompt"
+    setenv VIRTUAL_ENV_PROMPT __VENV_PROMPT__
 endif
 
 alias pydoc python -m pydoc
 --- a/Lib/venv/scripts/posix/activate.fish
 +++ b/Lib/venv/scripts/posix/activate.fish
-@@ -33,10 +33,11 @@ end
+@@ -33,10 +33,10 @@ end
 # Unset irrelevant variables.
 deactivate nondestructive
 
@ -315,19 +278,25 @@ scripts. This mitigates potential command injection.
 set -gx _OLD_VIRTUAL_PATH $PATH
 -set -gx PATH "$VIRTUAL_ENV/__VENV_BIN_NAME__" $PATH
 +set -gx PATH "$VIRTUAL_ENV/"__VENV_BIN_NAME__ $PATH
-+set -gx VIRTUAL_ENV_PROMPT __VENV_PROMPT__
 
 # Unset PYTHONHOME if set.
 if set -q PYTHONHOME
-@@ -56,7 +57,7 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
+@@ -56,7 +56,7 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
         set -l old_status $status
 
         # Output the venv prompt; color taken from the blue of the Python logo.
 -        printf "%s%s%s" (set_color 4B8BBE) "__VENV_PROMPT__" (set_color normal)
-+        printf "%s(%s)%s " (set_color 4B8BBE) __VENV_PROMPT__ (set_color normal)
+        printf "%s%s%s" (set_color 4B8BBE) __VENV_PROMPT__ (set_color normal)
 
         # Restore the return status of the previous command.
         echo "exit $old_status" | .
+@@ -65,5 +65,5 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
+     end
+ 
+     set -gx _OLD_FISH_PROMPT_OVERRIDE "$VIRTUAL_ENV"
+-    set -gx VIRTUAL_ENV_PROMPT "__VENV_PROMPT__"
+    set -gx VIRTUAL_ENV_PROMPT __VENV_PROMPT__
+ end
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst
@@ -0,0 +1 @@